Kilala.nl - Personal website of Thomas Sluyter

Unimportant background
Login
  RSS feed

About me

Blog archives

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

2004

> Weblog

> Sysadmin articles

> Maths teaching

<< 2 / 2017

The fifth host was a fun one!

2017-03-18 16:52:00

Dot Warner

For those wondering about the seemingly random images with my recent blog posts: they're hints about the relevant host(s) in the PWK labs of Offensive Security. My fifth host was the always adorable Warner sister. 

This was a fun one! My recon consisted of simultaneous Nmap and Nikto scans, both uncovering a few fun things. What caught my eye was the silly 404 image used on the main web server, so I turned to Nikto's results first. It had uncovered both an phpLiteAdmin and a Cuppa CMS install. Both offered interesting possibilities, respectively the uploading of code and the potentia for LFI or RFI. Together, they offered me the opportunity to practice with PHP shellcode, followed by local privilege escallation. Fun and games! 


kilala.nl tags: , , ,

View or add comments (curr. 0)

Four hosts down, sort of

2017-03-15 21:12:00

Tophat! The indisputable leader of the gang!

I've taken a short break from the PWK labs, due to family business. Right before the break I managed to root a host running a specific database platform. I've gathered all the evidence, but the most frustrating thing is that, as you may have read, I can no longer reproduce the break-in!

The fourth host was apparently one of the easier ones in the labs, with many folks on the OffSec forums being about as cordial as the average League or CS:GO player. "Most simplest in the list it took only 15 minutes :p" "omw, enumerate and 15 seconds later done and dusted"

After confirming my ideas about the host with an automated attack in Metasploit, I proceeded to reproduce the attack manually. ExploitDB has a readymade C program that exploits the vulnerability to provide a remote shell. GCC initially refused to compile, because one locally defined function macro required an unloaded library. I'm glad that GCC provided the exact hint that got me on my way :) I've made sure to submit the bugfix to ExploitDB through Github, making it my second fix for EDB! :D

That's four boxes popped and explored. After gaining root on each host, I spend a lot of time combing through files, email boxes and databases, scouring for good hints. All the password hashes get run through hashcat or NTLM Cracker, to attempt lateral movement. 

To quote the Mickey-D's commercials: I'm lovin'it!


kilala.nl tags: , , ,

View or add comments (curr. 0)

Frustration, thy name is reproducability

2017-03-13 21:41:00

On March 2nd, I managed to get into one particular box in the PWK labs using an exploit in MSF. Meterpreter ran and I managed to snag the hash from proof.txt and to dig around a bit more. 

Coming back an hour later, the exploit fails and crashes the target service. No amount of reverting returns the host to such a state that the exploit works. Oh frustration, thy name be reproducability! I discussed the situation with help@offsec and they confirm that the host is working as it should, suggesting that I try to improve my network connection by dropping the VPN's MTU a bit. 

I can only imagine that the one time the exploit worked, one of the other students had done something to the target that rendered it susceptible. Right then... Back to the drawing board!


kilala.nl tags: , , ,

View or add comments (curr. 0)

CISSP certs now come with a spiffy giftbox

2017-03-01 17:10:00

When I renewed my CISSP status a few weeks ago, I knew I'd be getting a new membership card in the mail. What I didn't expect however, was to get a swanky giftbox with a nice presentation of the cert, card and a pin! Looking classy there, ISC2 :)


kilala.nl tags: ,

View or add comments (curr. 0)

<< 2 / 2017